January 14, 2009

In Depth: Enterprise Risk Management.The Age of ERM.BMO Taps Compliance Tool for ERM.Boosting the ROI on AML.
Trade secrets and intellectual property are perhaps two of the areas most overlooked at banks. However, now that the industry is facing unprecedented change, financial institutions would be wise to turn their attention toward protecting such proprietary information -- especially as it relates to erstwhile employees, says attorney Bradford Newman, chair of the Silicon Valley Employment Law Department and leader of the International Employee Mobility and Trade Secrets practice with the law firm Paul Hastings Janofsky & Walker LLP (New York).

"Most global financial institutions have fairly robust data usage policies. What's different now," Newman says, "is that we're seeing an unheralded number of employees being laid off at one time -- they are transitory. Banks need to recognize that when they have this kind of employee movement, controlling their data is of paramount importance." It's not unheard for laid-off workers to seek a position with a competitor of their former employer, he notes.

The key is accounting for all the company data that employees possess. Banks must ask themselves who owns the data, Newman advises. "The type of commercially sensitive, nonpublic information employees possess can be so complex," he explains. "There are thumb drives and printouts. It's so easy for people to do this. [This data] can be lying around someone's house innocuously too." After all, data loss isn't always the result of a concerted, malicious effort by a rogue employee.

Information on technology, trademarks, customer lists, finances, strategy, prototypes and M&A plans are all at great risk of falling into the wrong hands. "And look at the TARP banks," Newman comments. "They don't want their identities disclosed. But a departing employee who was laid off may know if their former employer was a TARP bank. This is a highly valuable trade secret."

To prevent such scenarios from coming to pass, banks and other companies have relied on having new employees sign non-compete or nondisclosure agreements upon hire. Newman says these documents really mean nothing. "If you're on your way out and you sign something saying you'll abide by a form you signed two years ago, that doesn't mean anything. You may have six thumb drives with company data sitting at home. If employees aren't asked for this data, they won't say anything."

One way some of the more sophisticated financial institutions get around this, explains Newman, is by making return of the data a condition of receiving one's severance package. Departing employees certify whether they have company data, and if they do they agree to comply with the company's requests to return that data within a certain time frame.

The first step in keeping data where it belongs -- within the confines of the company -- is to find ways to manage it effectively. Newman notes that there are a variety of technologies that can help banks and other firms accomplish this. "One thing to do is to identify your high-risk departures. You image their PCs forensically and create a library of images of their machines," he explains. By referencing such a library, it may be possible for a bank to infer whether a former employee is implementing proprietary initiatives at a competing firm.

Newman also emphasizes the importance of access control on company servers, which enables a bank to ascertain whether people attempting to access data are authorized and doing so in the proper manner.

When it comes to portable storage devices, like thumb drives, rather than prohibiting them outright, task someone from IT to create a library of storage devices and require employees to sign out the cataloged devices, suggests Newman.

Keystroke-capture software, Internet site monitoring and checking phone call logs are other methods that can be used to protect trade secrets and data, but with care. "You have overlapping and conflicting laws here with regard to privacy, employment law and IT storage," Newman relates. "But even the financial institutions doing the layoffs don't want to see news articles discussing the theft of their trade secrets and having their security processes vetted publicly."

Newman believes banks do understand the importance of protecting this information when it is in the hands of employees. Closer inspection, however, often reveals many gaps in the protective umbrella. "Once you make banks understand that non-compete forms are not enough, then they get it. Most banks do have good data security practices. But to recover that data from the thousands of employees across the globe is a new risk," he explains.

In essence, protecting company secrets is a personnel issue, Newman states. "This is the movement of data with employees. Most [human resources] folks don't initially see it that way. Once they do, they team up with the internal IT folks for a solution. But companies first have to ask themselves what their trade secrets are, where the most at-risk secrets lie, and, in connection with the recent layoffs, how they can reduce the risk of disclosure and maximize the chance of recovering the data."

ABOUT THE AUTHOR